Office of Audits
Office of Inspector General
U.S. General Services Administration

Audit of GSA’s Transition
From Lotus Notes to the Cloud
Report Number A120131/O/F/F12004
September 28, 2012


REPORT ABSTRACT

OBJECTIVES

The objective of this audit was to evaluate GSA’s efforts to transition from the
Lotus Notes environment to determine whether:

  (1). The transition of email and collaboration tools to cloud services
       incorporated adequate performance measures and sufficient cost
       justifications to realize the stated goals.

  (2). The transition of existing Lotus Notes applications to other platforms,
       including cloud platforms, incorporated project management controls
       necessary for retiring Lotus Notes in a timely manner.

WHAT WE FOUND

We identified the following during our audit:

Finding 1 – Some aspects of the projected cost savings for the transition
cannot be verified because the OCIO has not updated the cost analysis or
maintained the supporting documentation.

Finding 2 – The OCIO cannot fully assess whether the transition project is
accomplishing its goals because the performance measures are unclear, lack
targets, or were not updated.

Finding 3 – The OCIO did not perform an enterprise-wide assessment of the
applications migrating to the cloud for redundancies, which could result in
wasted resources.

WHAT WE RECOMMEND

We recommend that the GSA Chief Information Officer:

  (1). Prepare an updated analysis/justification regarding the email and
       collaboration tools project savings using actual figures and implement
       procedures for updating documentation related to the project savings
       analysis on a regular basis, as well as when significant changes
       occur.
  (2). Develop and implement a comprehensive performance measurement
       program to effectively monitor the progress of the email and
       collaboration tools transition project in accomplishing the project
       objectives and goals.
  (3). Conduct an assessment of the current cloud environment to identify
       duplicate applications and take necessary actions to consolidate or
       eliminate any redundancies.

MANAGEMENT COMMENTS

Management agreed with our findings and recommendations. The GSA
CIO’s complete response is presented in Appendix C.

Finance and Information Technology Audit Office
1275 First Street, NE
Room 227
Washington, DC 20417
(202) 357-3620


DATE:     September 28, 2012
TO:       Casey Coleman
          Chief Information Officer (I)
FROM:     William Salamon
          Audit Manager (JA-F)
SUBJECT:  Audit of GSA’s Transition from Lotus Notes to the Cloud
          Report Number A120131/O/F/F12004

This report presents the results of our Audit of GSA’s Transition from Lotus Notes to the
Cloud. Our findings and recommendations are summarized in the Report Abstract.
Instructions regarding the audit resolution process can be found in the email that
transmitted this report.

Your written comments to the draft report are included in Appendix C of this report.

If you have any questions regarding this report, please contact me or any member of
the audit team at the following:

   William Salamon   Audit Manager       william.salamon@gsaig.gov   (202) 357-3634
   Sonya Braxton     Auditor-in-Charge   sonya.braxton@gsaig.gov     (202) 357-3648
   Scott Dixon       Auditor             scott.dixon@gsaig.gov       (202) 357-3627

On behalf of the audit team, I would like to thank you and your staff for your assistance
during this audit.


Table of Contents

Introduction

Results
Finding 1 – Some aspects of the projected cost savings for the transition cannot be
            verified because the OCIO has not updated the cost analysis or
            maintained the supporting documentation
Finding 2 – The OCIO cannot fully assess whether the transition project is
            accomplishing its goals because the performance measures are
            unclear, lack targets, or were not updated
Finding 3 – The OCIO did not perform an enterprise-wide assessment of the
            applications migrating to the cloud for redundancies, which could result
            in wasted resources
Recommendations
Management Comments
Conclusion

Appendixes
Appendix A – Purpose, Scope, and Methodology
Appendix B – Performance Measurement Issues
Appendix C – Management Comments
Appendix D – Report Distribution


Introduction

On December 9, 2010, the U.S. Chief Information Officer issued the 25 Point
Implementation Plan to Reform Federal Information Technology Management. The
purpose of the plan is to assist agencies in leveraging information technology to create
a more efficient and effective government and deliver more value to the American
taxpayer.
A major facet of the plan is the “Cloud First” policy, which required that each
agency Chief Information Officer identify three “must move” services to cloud solutions
and retire the corresponding legacy systems. The General Services Administration
(GSA) identified email, power management services, and correspondence tracking as
the three “must move” services to be migrated to the cloud environment.

GSA’s Lotus Notes infrastructure contained thousands of applications, many of which
were redundant or dormant, developed throughout GSA and maintained on Lotus Notes
servers and databases housed at 17 different locations. The infrastructure lacked the
level of integrated features needed for conducting business in an efficient manner. To
reduce its in-house system maintenance burden and provide its users with the most
up-to-date commercial service offerings, GSA opted to migrate its email system to the
cloud environment in accordance with the "Cloud First" mandate. In addition, GSA is
also in the process of decommissioning or migrating thousands of legacy Lotus Notes
applications from the infrastructure to new platforms.

In December 2010, GSA awarded a firm-fixed priced contract for the acquisition of email
and collaboration services to the Unisys Corporation. As a result of this contract, GSA
became the first federal agency to move its entire staff to a single cloud-based email
system in June 2011. This solution was expected to provide faster upgrades, reduce
management costs, curtail the need for lengthy and costly procurements of information
technology assets, and improve customer service. In addition, users would have
access to collaboration tools such as Google Docs, Google Calendar, and Google
Sites. GSA estimated that it would save about $15 million from the email transition over
five years.

In August 2011, GSA awarded a 5-year contract to Salesforce.com for its customer
relationship management modules, Force.com application development platform, and
the Chatter collaboration suite. In an effort to decommission or migrate thousands of
applications built in the Lotus Notes collaboration environment, GSA is primarily using
the Force.com platform to transition these applications to the cloud.

The objective of this audit was to evaluate GSA’s efforts to transition from the Lotus
Notes environment to determine whether:

  (1). The transition of email and collaboration tools to cloud services incorporated
       adequate performance measures and sufficient cost justifications to realize the
       stated goals.

  (2). The transition of existing Lotus Notes applications to other platforms, including
       cloud platforms, incorporated project management controls necessary for retiring
       Lotus Notes in a timely manner.

See Appendix A – Purpose, Scope, and Methodology for additional details.


Results

Finding 1 – Some aspects of the projected cost savings for the transition cannot
be verified because the OCIO has not updated the cost analysis or maintained the
supporting documentation.

The OCIO projected that the transition of the email and collaboration tools from Lotus
Notes to Google would save $15 million over five years. However, the OCIO has not
updated and maintained the supporting cost analysis associated with either its
estimates of future benefits or the cost comparisons.
As a result, we were unable to
verify whether the OCIO is making adequate progress towards its projected savings.

The OCIO identified three areas where savings were projected as a result of the
transition: (1) government staffing, (2) infrastructure (e.g. licensing, maintenance, and
hardware), and (3) contractor support. The OCIO was able to provide supporting
documentation to verify the infrastructure costs for both the Lotus Notes and Google
environments. The licensing costs for Google indicated that GSA realized
approximately $182,000 in additional savings than initially projected; however, the cost
analysis to include the actual savings associated with Google licensing has not been
updated. In addition, the OCIO was unable to provide documentation supporting its
analysis regarding the initial projected savings for government staffing and contractor
support. The OCIO stated that it was unable to locate the supporting cost analysis due
to staffing changes within the organization. As a result, the OCIO is not aware of the
amount of potential costs or savings incurred for this project and misstated savings
could impact future funding decisions.

To assess its progress toward cost savings from the transition, the OCIO should
develop a new cost analysis for the project and ensure that it is maintained. According
to the Office of Management and Budget (OMB), elements of a benefit-cost or
cost-effectiveness analysis should be explicit about the underlying assumptions used to
arrive at estimates of future benefits and costs.[1] The analysis should include a
statement of the assumptions, the rationale behind them, and a review of their strengths
and weaknesses.

[1] OMB A-94: Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs Section
5(c)(2)


Finding 2 – The OCIO cannot fully assess whether the transition project is
accomplishing its goals because the performance measures are unclear, lack
targets, or were not updated.

The OCIO established four goals for the email and collaboration tools transition project
as follows:
    • Modernization of Email;
    • Provision of an Effective Collaborative Environment;
    • Reduction of the Government’s in-house system maintenance burden; and
    • Application of appropriate security and privacy safeguards.

However, the performance measures used to track the progress towards each of the
stated project goals are unclear, lack targets, or have targets that were not amended to
reflect the current environment. For example, the OCIO has not updated its cost
analysis to reflect its progress in accomplishing the performance measure of decreasing
the in-house maintenance burden by reducing email support staff (see Appendix B for
the full list of goals, performance measures, and related issues).

This occurred because the OCIO has not performed a comprehensive assessment of
the identified performance measures to ensure that they are consistent with the actual
progress of the transition project. According to OMB,[2] agencies must establish and
validate a performance measurement baseline with clear cost, schedule, and
performance goals. Further, the Government Accountability Office defines performance
measurement as the ongoing monitoring and reporting of program accomplishments,
particularly progress toward pre-established goals.[3] Without adequate performance
measures that are clear and that include established targets, the OCIO cannot fully
assess how well the transition project is progressing in accomplishing its goals or
determine areas in need of improvement.

[2] OMB Memorandum 05-23: Improving Information Technology Project Planning and Execution,
Attachment A.
[3] GAO-11-646SP: Performance Measurement and Evaluation Definition and Relationships.


Finding 3 – The OCIO did not perform an enterprise-wide assessment of the
applications migrating to the cloud for redundancies, which could result in
wasted resources.

The OCIO did not establish sufficient controls to ensure that redundant applications
were not migrated to the cloud environment. As part of the application migration efforts,
the Service and Staff Offices took a decentralized approach for identifying duplicate
applications within their organizations. As a result, each Service and Staff Office
developed an inventory of applications to decommission or migrate to other platforms.
However, the OCIO did not perform an analysis of the resulting application inventories
to ensure that duplicate applications between organizations were identified and
removed. At least one redundant application[4] was migrated to the cloud environment
and it is uncertain if others exist. To control future application development in the cloud,
the OCIO established the Center of Excellence (COE) as an enterprise-wide
governance structure. The COE will act as a decision center that will review every
request to build an application for redundancies. Without the proper controls to ensure
that redundant applications do not exist, the agency could be developing and supporting
other applications with similar functionality.
This could result in wasted resources,
inefficiencies, and the potential for the overdevelopment of applications in the cloud.

Recommendations

We recommend that the GSA Chief Information Officer:

    (1). Prepare an updated analysis/justification regarding the email and collaboration
         tools project savings using actual figures and implement procedures for updating
         documentation related to the project savings analysis on a regular basis, as well
         as when significant changes occur.
    (2). Develop and implement a comprehensive performance measurement program to
         effectively monitor the progress of the email and collaboration tools transition
         project in accomplishing the project objectives and goals.
    (3). Conduct an assessment of the current cloud environment to identify duplicate
         applications. Take the necessary actions to consolidate or eliminate any
         duplicate applications that are identified through the assessment.

Management Comments

Management agreed with our findings and recommendations. The GSA CIO’s complete
response is presented in Appendix C.

[4] When asked if duplicate applications currently exist in the cloud environment, the OCIO stated that it
was aware of one instance of an application known to be duplicative across organizations, the Project
Tracking Tool. The OCIO stated that this redundancy has been resolved.


Conclusion

Although GSA’s OCIO has stated its goals for the email and collaboration tools
transition, it has not established adequate performance measures to track and monitor
the progress of the project to ensure it is accomplishing its intended goals.
Also, the
OCIO has projected savings for the overall transition project; however, it has not
updated and maintained the supporting cost analysis used to arrive at these projections.
Therefore, we were unable to verify whether adequate progress is being made toward
the projected savings goals. In addition, the OCIO and the Service and Staff Offices
have plans in place to continue migrating their applications from the Lotus Notes
collaboration environment to other platforms using the enterprise-wide governance
structure for increased oversight. However, this control was not in place across the
agency to ensure that duplicate applications were not migrated at the onset of the
transition project.

Taking the recommended steps in this report to improve the management of GSA’s
efforts to transition from the Lotus Notes environment to the cloud will better enable the
OCIO to track the progress of the current transition project as well as prepare for future
transitions to other cloud computing solutions.


Appendix A – Purpose, Scope, and Methodology

Purpose

The Office of Inspector General included this audit in its fiscal year 2012 audit plan.

Scope

The audit’s scope included: (1) the performance measures and cost justification related
to GSA’s transition of email and collaboration tools to its new platform and (2) project
management controls related to the transition of existing Lotus Notes applications to
other platforms.

Methodology

To accomplish our objectives, we:

   •    Reviewed prior audit reports and implementation reviews, including those related
        to the Lotus Notes infrastructure issued by the GSA Office of Inspector General;
   •    Reviewed policies, procedures, publications, memorandums, and circulars
        issued by the Office of Management and Budget, National Institute of Standards,
        and the GSA Office of the Chief Information Officer;
   •    Reviewed GSA’s Statement of Objectives for Email and Collaborative Services
        and associated contract documentation;
   •    Obtained the Lotus Notes application inventories maintained by the OCIO, Public
        Buildings Service (PBS), Federal Acquisition Service (FAS), and the Office of the
        Chief People Officer (OCPO);
   •    Reviewed application migration plans from Lotus Notes to other platforms for the
        OCIO, PBS, FAS, and OCPO;
   •    Obtained and reviewed prior year invoices associated with the licensing,
        hardware, and maintenance costs for the legacy Lotus Notes infrastructure and
        Google licensing costs;
   •    Obtained and reviewed executive briefings compiled by the OCIO presenting the
        email and collaboration tools transition project goals, projected savings, and
        progress;
   •    Selected a random sample of applications from the inventory lists provided by the
        OCIO, PBS, and FAS and verified the existence of the applications migrated from
        Lotus Notes to other platforms;
   •    Reviewed documentation related to the internal and enterprise-wide governance
        processes used by the OCIO, PBS, FAS, and OCPO to review and approve the
        development of an application on a new platform;
   •    Conducted meetings and corresponded with personnel from the OCIO regarding
        the project performance measures and targets; and
   •    Conducted meetings with the OCIO, PBS, FAS, and OCPO regarding the
        migration planning process.

We conducted the audit between May 2012 and August 2012 in accordance with
generally accepted government auditing standards.
Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

Internal Controls

Our evaluation of internal controls was limited to those controls that allowed us to
reasonably address our audit objectives. This included an evaluation of internal
controls established by the OCIO for monitoring the progress of the project and cost
justifications for GSA’s transition of email and collaboration tools to its new platform.
This also included evaluating internal controls related to project management for the
decommissioning and migration of applications from the Lotus Notes infrastructure to
other platforms for the OCIO, PBS, FAS, and the OCPO. This audit did not include the
evaluation of all internal controls related to GSA’s transition from Lotus Notes to other
platforms.


Appendix B – Performance Measurement Issues[1]

Goal 1: Modernization of Email
   • Performance Measure: Retirement of the legacy Lotus Notes environment[2]
   • Target: Successful migration to new email system without significant impact to agency
     operations. *Significant impact was defined as large sections of GSA being unable to send
     and receive emails for more than 1 business day, and 80% of blackberry devices
     operational within 10 business days after conversion.
   • Issue: No issues were identified.

Goal 2: Provision of an Effective Collaborative Environment
   • Performance Measure: Survey results from end users
   • Target: Equal or higher use of Instant messaging compared to the Lotus Notes
     environment (30% or more GSA associates consistently using instant messaging) and
     significant adoption of Google Docs for collaboration.
   • Issue: The stated performance measure referencing the IT survey results does not have a
     clearly established target for the adoption of Google Docs for collaboration.

Goal 3: Reduction of the Government's In-house System Maintenance Burden
   • Performance Measure: Cost reduction measures such as the number of servers
     decommissioned (to reduce energy) and level of effort to maintain system (reduction in
     FTEs and training costs)
   • Target: Cost reduction to manage and support the email environment achieved
     successfully. Currently on target to achieve cost reductions estimated over the 5 year
     period.
   • Issue: The stated target was not updated to reflect that the performance measure of
     reducing the support FTE costs for email has not progressed as planned.

Goal 4: Application of Appropriate Security and Privacy Safeguards
   • Performance Measure: FISMA Metrics
   • Target: Favorable FISMA compliance audit results for GSA’s implementation of Google
     Apps environment during year 1 of operations.
   • Issue: The stated target is not clearly measurable and the timeframe only included the first
     year of a 5 year project.

[1] In response to our request for the performance measures and targets used to evaluate the success of
the email and collaboration tools transition project, the OCIO provided the statements above regarding
the project goals, performance measures, and targets currently used. We prepared this chart to display
the OCIO’s response and present the issues we identified during the audit.
[2] The Lotus Notes environment refers to the legacy email and collaboration tools environment.


Appendix C – Management Comments


Appendix D – Report Distribution

Chief Information Officer (I)
Deputy Chief Information Officer (ID)
Commissioner, Public Buildings Service (P)
Acting Commissioner, Federal Acquisition Service (Q)
Chief People Officer (C)
Division Director, GAO/IG Audit Response Division (H1C)
Audit Liaison, Office of the Chief Information Officer (I)
Audit Liaison, Public Buildings Service (P)
Audit Liaison, Federal Acquisition Service (Q)
Audit Liaison, Office of the Chief People Officer (C)
Assistant IG for Auditing (JA)
Deputy Assistant IG for Investigations (JID)
Director, Audit Planning, Policy, and Operations Staff (JAO)